InformationThe operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.
SolutionUpdate the /etc/fstab file so the option sec is defined for each NFS mounted file system and the sec option does not have the sys setting.
Example: vim /etc/fstab
Ensure the sec option is defined as krb5:krb5i:krb5p.
192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72311
Rule ID: SV-86935r4_rule
STIG ID: RHEL-07-040750
Severity: CAT II